Sandboxed applications can modify screen settings

A. THE BUG/ISSUE (Varies from issue to issue)
Can U reproduce the problem & if so how reliably?:
Yes, Every time.
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Sandboxed applications can change screen resolution & steal focus through various ways. I’ve used an application named NirCmd, which you can either download from “attached files” or from its homepage.
2: I’ve made a batch file with the following code:

[code=cmd]
@echo off
rem NirCmd switches the primary display to 800x600 at 32-bit colour depth
nircmd.exe setdisplay 800 600 32
pause
[/code]

3: Run the batch file.
[b]One or two sentences explaining what actually happened:[/b]
Screen resolution was changed to 800x600, 32-bit.
[b]One or two sentences explaining what you expected to happen[/b]:
Sandboxed applications should not change resolution, as malicious applications could be made to prevent the user from making a choice. Apparently, sandboxed applications can also steal focus (lock the user inside the window and prevent the user from changing the resolution). This is normal behavior for online games, for example, because it is a method of protection against tampering with the game mechanics. However, malicious applications can make use of these methods as well, regardless of HIPS level. In the worst case, the user should be prompted if the application tries to steal focus or modify screen resolution.
[b]If a software compatibility problem have you tried the conflict FAQ?[/b]:
N/A.
[b]Any software except CIS/OS involved? If so - name, & exact version[/b]:
N/A.
[b]Any other information, eg your guess at the cause, how U tried to fix it etc[/b]:
User Guide can be found [url=http://www.nirsoft.net/utils/nircmd2.html#using]here[/url]. 
"Restricted" and "Untrusted" are not affected.
Disallowing sandboxed applications to change screen resolution (only) will not be enough. 
[u]B. YOUR SETUP[/u]
[b]Exact CIS version & configuration[/b]:
7.0.317799.4142
[b]Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV[/b]:
N/A
[b]Have U made any other changes to the default config? (egs here.)[/b]:
N/A.
[b]Have U updated (without uninstall) from CIS 5 or CIS6?[/b]:
No.
     [b]if so, have U tried a clean reinstall - if not please do?[/b]:
     N/A.
[b]Have U imported a config from a previous version of CIS[/b]:
No.
     [b]if so, have U tried a standard config - if not please do[/b]:
     N/A.
[b]OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used[/b]:
OS: Windows 7 Home Premium 64-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.140303-2144)
UAC: Disabled
Account type: Administrator
V. Machine: Not used
[b]Other security/s'box software a) currently installed b) installed since OS, including initial trial security software included with system[/b]:
a) None. b) None.

[attachment deleted by admin]
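As an added example (not part of the report above, and not Comodo's or NirSoft's code), this host-side PowerShell watchdog polls the real display mode from outside the sandbox and logs every change together with the process that owned the foreground window at that moment and whether that window was set always-on-top, which is the focus-stealing behaviour the report also describes. It assumes Windows PowerShell 5.1 or later on the host; the log path is a placeholder.

```powershell
# Added example: detect resolution changes and identify the foreground process.
# Runs on the real desktop (outside the sandbox). $LogPath is a placeholder.
$LogPath      = "$env:TEMP\display-watch.log"   # placeholder path, adjust as needed
$PollInterval = 1                               # seconds between checks

# Plain Win32 calls so the values are never served from a cached copy
Add-Type -Namespace Watch -Name User32 -MemberDefinition @"
[DllImport("user32.dll")] public static extern int    GetSystemMetrics(int nIndex);
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")] public static extern uint   GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
[DllImport("user32.dll")] public static extern int    GetWindowLong(IntPtr hWnd, int nIndex);
"@

function Get-DisplayMode {
    # SM_CXSCREEN = 0, SM_CYSCREEN = 1: current size of the primary display
    '{0}x{1}' -f [Watch.User32]::GetSystemMetrics(0), [Watch.User32]::GetSystemMetrics(1)
}

function Get-ForegroundOwner {
    $hwnd = [Watch.User32]::GetForegroundWindow()
    [uint32]$owner = 0
    [void][Watch.User32]::GetWindowThreadProcessId($hwnd, [ref]$owner)
    # GWL_EXSTYLE = -20; WS_EX_TOPMOST = 0x8 marks an always-on-top window
    $topmost = ([Watch.User32]::GetWindowLong($hwnd, -20) -band 0x8) -ne 0
    $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
    [pscustomobject]@{ Pid = $owner; Name = $proc.Name; Path = $proc.Path; TopMost = $topmost }
}

$last = Get-DisplayMode
"$(Get-Date -Format o) baseline $last" | Out-File -FilePath $LogPath -Append
while ($true) {
    $cur = Get-DisplayMode
    if ($cur -ne $last) {
        $fg = Get-ForegroundOwner
        "$(Get-Date -Format o) display changed $last -> $cur; foreground pid=$($fg.Pid) " +
        "name=$($fg.Name) path=$($fg.Path) topmost=$($fg.TopMost)" |
            Out-File -FilePath $LogPath -Append
        $last = $cur
    }
    Start-Sleep -Seconds $PollInterval
}
```

A change logged while the foreground owner is a process running inside the sandbox confirms that the sandbox level in use does not isolate display settings from the real system.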

I’m not sure that this is a bug if only Partially Limited and Limited are affected by this. In that case though, I can certainly see this as worthy of a wish. However, have you yet tried Fully Sandboxed? I would hope that it would not be able to make permanent changes to the real system (in terms of changing the screen resolution) when run in the Fully Virtualized Sandbox, but I want to make sure.

Thanks.

Yes. “Fully Virtualized” is affected.

Chiron,
While the issue is different with ‘Bug 685’, they do share a common factor.
It appears that running command line or command line utilities (Batch files) sandboxed can affect the real system in some circumstances.

The application used is not a batch file. Sorry for the confusion. It is only launched through a batch file because you have to enter command line parameters.

In that case I believe this would fall under bug 620 (which sadly is not on the forum but only entered in the tracker). This entry is for Commands issued from the command line when the command-line processor is virtualised can affect the real system. That seems like exactly what is happening here. Thus, there is no need for another bug report. If you wish, I can edit the first post so that it is for the same bug, and attach the tracker number. That may make it easier for users to keep track of this issue. qmarius, what do you think?

Also, about sandboxed applications being able to modify the screen settings, if you wish you can create a Wish Request for this (although I do worry that the devs will dismiss it as Restricted and Untrusted protect against it). However, it is not suitable for a bug report for Partially Limited and Limited. I hope you understand.

Thank you.

  1. OK. I do understand that. Not sure if it is the same bug report because I didn’t read the report you mentioned. If the bug report does refer to csrss then yes, it is the same report and it solves the problem with NirCmd (the application that I gave as an example). If you want, you can edit my report any time.

  2. The other side of the problem (which is not solved/reported from what I understand): there is an existing issue where sandboxed applications (that require administrator rights, usually games) steal focus of the screen. These applications prevent the user from changing windows by setting themselves on top of other applications (e.g. CIS) and by looping this procedure. Like I said, usually online games do this. If you want, I can edit my post or create another bug report.

Thank you.

This vulnerability to command-line code run in the FV sandbox underlies many issues. That is why there is a single entry just for the command line.

Perhaps I am misunderstanding this, but are there not situations in which a user may see this as preferable? By this I mean if a user runs a game, and it is unknown, they would see it as a good thing that it is still able to alter the screen settings so that it can run correctly, while at the same time being prevented from doing any major harm to the computer. That’s why I don’t see it as a bug that this is allowed for the first two protection levels (although I do see how it is an issue for many users). Personally, I would like to see it prevented, at least for Limited, but from the devs’ point of view I know that it is not a bug. Thus, the best thing which can be done for this is to submit a Wish Request.

Does that make sense, or am I misunderstanding this issue?

Thanks.

These applications cannot run in “Limited” or more restricted levels because they require exclusive administrator rights. For a game it might be preferable, but how about a malicious application that makes use of such methods?
This issue alone might be harmless, however combined with bug report here + incorrect HIPS settings [Mouse +/- Keyboard] it could control alerts without letting the user know.

CIS should be secure by design/default: prevent sandboxed applications from interfering with the GUI and/or make it stealthy to the sandbox.

I do accept “Partially Limited” as the “most compatible” with applications. However, I do not accept such behavior being permitted by “Fully Virtualized”.

I understand, and hope the other issue will be quickly fixed. Personally, I also would like to see this behavior changed. However, by the rules which define what is a bug and what is a Wish, this seems much more suitable for a Wish.

Agreed. However, the underlying issue by which Fully Virtualized is able to be ‘bypassed’ has already been reported. Hopefully it will be fixed in the next update, although I currently have no information one way or the other.

Thanks.

I will try to come up with a wish request after the next version is released, if the issue is not fixed, although it might not be accepted.

Thanks again.

Thanks.

No sorry required, it was probably myself more than you that added the confusion so I apologise back. :wink:

qmarius, would you mind if I moved this to Resolved?

Not at all. Please do what you think is appropriate.

Thanks again.

Thank you. I will now move this to Resolved as the issue (as it relates to FV) has already been reported and the other part is not suitable for a bug report, but is suitable for a Wish Request.

If you have any questions please feel free to ask.

Thank you.